S3 Interface Endpoint from On-Prem Access Denied
Hello,
We have S3 Endpoint (interface type) created at eu-west-1 region.
We are trying to write to the buckets using the DNS created in eu-west-1 from our on-premise location connected via Direct Connect.
DNS: *.vpce-1234567890-abcd2zc.s3.eu-west-1.vpce.amazonaws.com
I have given the following permissions in the bucket policy to write to these buckets, but when we try to upload/write to this bucket we still get the Access Denied error shown below.
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:PutObjectAcl",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3::<bucket-name>/*",
        "arn:aws:s3:::<bucket-name>"
      ]
    },
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:PutObjectAcl",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::<bucket-name>/*",
        "arn:aws:s3::<bucket-name>"
      ]
    }
  ]
}
OTErrWrnLn||ERROR||-1||SERVICE||GBS3||<Bucket_Name> Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: 0QWNYWPJZY14EGRC; S3 Extended Request ID: sXic/CHy/OU5oakn7MBb6UESIbggdr9IxaILUiVuGMeUu7iZTUpIUpLeIUieNs82g6jXdBdQ3sU=)||-1||-1||-1|| Access Denied
I would like to know what permission is required to write to this bucket from on-premise, please, or any other steps or configuration I need to apply.
When I run nslookup on the S3 endpoint from the on-prem server, it resolves to a private IP.
BTW, it works when I enable Allow Public Access.
Thank you
When you say "I run nslookup on the s3 endpoint from the on-prem server, it resolves to private IP", what s3 endpoint do you mean? At some point you need to override DNS resolution of the standard s3 service name (as opposed to your vpc endpoint domain name) so that it no longer maps to a public IP. Within a VPC you can do that by directly overriding with a Private Hosted Zone, but in your hybrid situation where you need to do this on-prem, you need to delegate resolution via a Route 53 Resolver Endpoint. See for example https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver.html.
A couple of the Resources in your policy don't look right - they are "s3::<bucket-name>" instead of "s3:::<bucket-name>". If you still have problems, what are you using to access S3 from on-prem?
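As an added example (not part of this answer and not an AWS tool), here is a small Python check that flags the two-colon S3 ARNs pointed out above and, as a defender's caveat, any Allow statement granted to every principal without a Condition (a bucket reachable only through a PrivateLink endpoint would normally be scoped with the aws:SourceVpce condition key). The sample policy and the bucket name my-bucket are constructed to mirror the policy in the question.

```python
import json
import re

# S3 ARNs have empty region and account fields, so a bucket ARN is
# "arn:aws:s3:::bucket" (three colons before the bucket name) and an
# object ARN is "arn:aws:s3:::bucket/key". Two colons match nothing.
S3_ARN = re.compile(r"^arn:aws:s3:::[a-z0-9][a-z0-9.-]{1,61}[a-z0-9](/.*)?$")


def check_s3_policy(policy_text):
    """Return findings for a bucket policy document (constructed check, not
    an AWS API): malformed S3 ARNs, and Allow statements that grant access
    to any principal without a Condition scoping them."""
    findings = []
    policy = json.loads(policy_text)
    for i, stmt in enumerate(policy.get("Statement", [])):
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for arn in resources:
            if not S3_ARN.match(arn):
                findings.append(f"statement {i}: malformed S3 ARN {arn!r}")
        principal = stmt.get("Principal")
        anyone = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if stmt.get("Effect") == "Allow" and anyone and "Condition" not in stmt:
            findings.append(f"statement {i}: Allow to any principal with no Condition")
    return findings


# Constructed sample mirroring the policy in the question: one two-colon
# ARN per statement, and a wildcard principal in both statements.
SAMPLE_POLICY = """{
  "Version": "2008-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:PutObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3::my-bucket/*", "arn:aws:s3:::my-bucket"]},
    {"Effect": "Allow", "Principal": "*",
     "Action": ["s3:PutObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::my-bucket/*", "arn:aws:s3::my-bucket"]}
  ]
}"""

if __name__ == "__main__":
    for finding in check_s3_policy(SAMPLE_POLICY):
        print(finding)
```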
The nslookup is on the S3 endpoint DNS, *.vpce-1234567890-abcd2zc.s3.eu-west-1.vpce.amazonaws.com, which we use to connect from on-premise, and it resolves to a private IP.